
Here's what I'm trying to do:

```csharp
// STS client authenticated with the temporary (SAML-obtained) credentials.
var role = new AmazonSecurityTokenServiceClient(aws_access_key_id, aws_secret_access_key, aws_session_token, Amazon.RegionEndpoint.USWest2);

// Assume the target role (the response, which carries the role's credentials, is not kept here).
role.AssumeRole(new AssumeRoleRequest
{
    DurationSeconds = 3600,
    RoleArn = rolearn,
    RoleSessionName = sessionname
});

// Second STS call, made with the same temporary credentials.
GetSessionTokenResponse sessionTokenResponse = role.GetSessionToken(new GetSessionTokenRequest
{
    DurationSeconds = 7200
});
```

Now my "role" is created with temporary credentials I obtained with SAML. And it seems that since GetSessionToken provides you with temporary credentials, it needs "role" to be created with long-term credentials. I can't seem to find a workaround for this.

Essentially, I'm trying to create an AmazonS3Client with an assumed IAM role that has certain permissions. Here's what I plan to do if I manage to GetSessionToken:

```csharp
// Build an S3 client from the session credentials returned by GetSessionToken.
var newcreds = sessionTokenResponse.Credentials;
var sessionCredentials = new SessionAWSCredentials(newcreds.AccessKeyId, newcreds.SecretAccessKey, newcreds.SessionToken);
AmazonS3Client newclient = new AmazonS3Client(sessionCredentials, Amazon.RegionEndpoint.USWest2);
```

Pallavi

1 Answer


It is not possible to call GetSessionToken using credentials returned by AssumeRoleWithSAML. From the AWS docs:

The temporary security credentials created by AssumeRoleWithSAML can be used to make API calls to any AWS service with the following exception: you cannot call the STS service's GetFederationToken or GetSessionToken API operations.

sudo